From: Vernon J. S. <ve...@ve...> - 2005-09-19 00:12:07
I have a custom perl script that might help block ssh brute force attacks. Also webmin has a feature that prevents brute force attacks.

------------------------------------------
Vernon J. Spangler
http://www.vernonspangler.org/
(520) 512-8410 Home
(520) 990-1863 Cell
ve...@ve...
------------------------------------------
Powered by Windows XP Professional
Sent by Microsoft Outlook 2003

-----Original Message-----
From: dav...@da... [mailto:dav...@da...]
Sent: Sunday, September 18, 2005 4:33 PM
To: web...@li...
Subject: RE: [webmin-l] Understanding daily "LogWatch"?

Do you know who this IP address belongs to? Otherwise it may be some "hack" program trying to get into your system using common names and "idiot" passwords. If you look at the pattern they are all 'common' first names, most being hit 5 times. If the IP address isn't one you work with, I'd consider blocking the IP altogether.

David Coley
Codecipher

-----Original Message-----
From: web...@li... [mailto:web...@li...] On Behalf Of pr...@pr...
Sent: Sunday, September 18, 2005 7:23 PM
To: web...@li...
Subject: [webmin-l] Understanding daily "LogWatch"?

From: Prodos (Melbourne, Australia)

Good morning.

I receive a daily email from my WEBMIN server called "LogWatch for prodos". It starts off like this ....

- - -
################### LogWatch 4.3.2 (02/18/03) ####################
       Processing Initiated: Mon Sep 19 04:02:04 2005
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: prodos
################################################################
- - -

... and then lists all sorts of things, such as this ....

- - -
sshd:
   Invalid Users:
      Unknown Account: 2614 Time(s)
   Authentication Failures:
      mail (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
      unknown (220.229.161.171 ): 2211 Time(s)
      root (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 85 Time(s)
      sshd (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
      nobody (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
      nobody (220.229.161.171 ): 3 Time(s)
      sshd (220.229.161.171 ): 9 Time(s)
      [etc.]
- - - -

And this ....

- - - -
--------------------- SSHD Begin ------------------------
Failed logins from these:
   Aaliyah/password from 200.102.192.82: 5 Time(s)
   Aaron/password from 200.102.192.82: 5 Time(s)
   Aba/password from 200.102.192.82: 5 Time(s)
   Abel/password from 200.102.192.82: 5 Time(s)
   Chicago/password from 220.229.161.171: 6 Time(s)
   Christ/password from 220.229.161.171: 3 Time(s)
   Dakota/password from 220.229.161.171: 6 Time(s)
   Jewel/password from 200.102.192.82: 5 Time(s)
   Jordan/password from 220.229.161.171: 6 Time(s)
   [etc.]
- - -

And this ...

- - -
**Unmatched Entries**
Illegal user zena from 220.229.161.171
Illegal user zena from 220.229.161.171
Illegal user purple from 220.229.161.171
Illegal user purple from 220.229.161.171
[etc.]
- - -

Some of the lists are VERY long!

Is there a reference guide somewhere that can help me interpret what the different categories and listed items mean and what action is advisable in each case?

Thanks for any help on this.

Best Wishes,
PRODOS
http://prodos.thinkertothinker.com

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
- Forwarded by the Webmin mailing list at web...@li...
To remove yourself from this list, go to http://lists.sourceforge.net/lists/listinfo/webadmin-list

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.1/104 - Release Date: 9/16/2005
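The sshd sections of the LogWatch report quoted in the thread are easier to act on once the three line formats (the "Authentication Failures" entries, the "Failed logins from these" entries and the raw "Illegal user ... from ..." lines) are folded together by source address. The script below is an added example and is not code from the thread, from Webmin or from LogWatch (the perl script Vernon mentions is not shown on the list). It runs over a sample constructed from the lines quoted above, merges the reverse-DNS form and the bare-IP form of the same source with a heuristic that is labelled as such, and lists the sources whose attempt count or number of distinct user names crosses a threshold, which is exactly the information David's suggestion to block a source depends on. The threshold values are assumptions.

```python
"""Summarise the sshd sections of a LogWatch report by source address.

Added example, not code from the webmin-l thread, Webmin or LogWatch.
The sample report is constructed from the lines quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: fragments of the report quoted in the thread.
SAMPLE_REPORT = """\
sshd:
   Authentication Failures:
      mail (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
      unknown (220.229.161.171 ): 2211 Time(s)
      root (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 85 Time(s)
      nobody (220.229.161.171 ): 3 Time(s)
--------------------- SSHD Begin ------------------------
Failed logins from these:
   Aaliyah/password from 200.102.192.82: 5 Time(s)
   Aaron/password from 200.102.192.82: 5 Time(s)
   Abel/password from 200.102.192.82: 5 Time(s)
   Chicago/password from 220.229.161.171: 6 Time(s)
   Dakota/password from 220.229.161.171: 6 Time(s)
   Jordan/password from 220.229.161.171: 6 Time(s)
**Unmatched Entries**
Illegal user zena from 220.229.161.171
Illegal user zena from 220.229.161.171
Illegal user purple from 220.229.161.171
"""

# "user (host ): N Time(s)"            -- Authentication Failures block
AUTH_FAIL = re.compile(r'^\s*(\S+) \(([^\s)]+)\s*\): (\d+) Time\(s\)$')
# "user/password from 1.2.3.4: N Time(s)" -- SSHD "Failed logins" block
FAILED_LOGIN = re.compile(r'^\s*([^/\s]+)/\S+ from (\S+): (\d+) Time\(s\)$')
# "Illegal user X from 1.2.3.4"         -- unmatched raw syslog lines
ILLEGAL_USER = re.compile(r'^\s*Illegal user (\S+) from (\S+)$')
# First DNS label looks like a dashed IPv4 address, e.g. 200-102-192-82.xxx
DASHED_IP = re.compile(r'^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.')


def normalise_source(source):
    """Heuristic (assumption): fold reverse-DNS names whose first label is a
    dashed IPv4 onto the bare IP, so that the Authentication Failures section
    (which shows the resolved name) and the Failed logins section (which shows
    the IP) aggregate under one key. Other names are returned unchanged."""
    m = DASHED_IP.match(source)
    return '.'.join(m.groups()) if m else source


def summarise(report):
    """Return {source: {"attempts": int, "users": set}} for every source seen.

    Aggregated lines carry their own count; raw "Illegal user" lines count 1.
    Headers, separators and "[etc.]" markers match no pattern and are skipped.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in report.splitlines():
        for pattern in (AUTH_FAIL, FAILED_LOGIN, ILLEGAL_USER):
            m = pattern.match(line)
            if m:
                break
        else:
            continue
        user, source = m.group(1), normalise_source(m.group(2))
        count = int(m.group(3)) if m.lastindex == 3 else 1
        entry = per_source[source]
        entry["attempts"] += count
        entry["users"].add(user)
    return dict(per_source)


def suspicious_sources(per_source, min_attempts=20, min_users=5):
    """Sources that either hammered the host or walked a list of user names.

    Thresholds are assumptions; tune them to the host's normal traffic.
    Returns the sorted list of source keys for stable output.
    """
    return sorted(
        src for src, e in per_source.items()
        if e["attempts"] >= min_attempts or len(e["users"]) >= min_users
    )


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    for src in sorted(summary, key=lambda s: -summary[s]["attempts"]):
        e = summary[src]
        print(f"{src:20} {e['attempts']:6d} attempts  {len(e['users']):3d} user names")
    print("candidates for blocking:", suspicious_sources(summary))
```

Run stand-alone it prints one line per source and the block candidates; in practice the report text would be read from the LogWatch mail instead of the embedded sample. A source that shows up with a handful of distinct names but few attempts per name is the dictionary pattern David describes, which is why the check looks at the number of user names as well as the raw attempt count.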